2017-08-26T14:01:00Z
Sujit Sharma - PeerSpot reviewer
Information Security Engineer at a tech services company with 1,001-5,000 employees

What do you recommend for a securing Web Application?

We required a 24/7 automated vulnerability monitoring tool for securing our web applications. We are looking for options like Sitelock and Immuniweb.

13 Answers
Vaisakh Tr - PeerSpot reviewer
Chief Technology Officer at Prophaze
Consultant
2021-03-03T01:27:49Z
Mar 3, 2021

There are many products out there that work as a WAF. A WAF is not really aware of the application it is securing. There are solutions that block DDoS attacks (it needs a bit of muscle power as well). The other issue is the attack of automated bots on the system. As of now, none of the security vendors gives a full stack of protection against these attacks.

http://prophaze.com/ is the only solution that is more of a WAF + RASP + BOT + DDOS solution which is built on Kubernetes architecture. It is the first distributed cloud security solution on microservices that can secure your APIs and web apps from highly sophisticated attacks.

Its behavioral learning algorithm understands the HTTP flow of the API or web application it is securing and will create a score based on the various accepted behaviors in the application. Prophaze, during its initial 14 days of the trial, will automatically profile the applications using its ML-based algorithms.

Important Features
- Virtual Patching
- Bot Mitigation


it_user550380 - PeerSpot reviewer
Chief Security Architect at a comms service provider with 501-1,000 employees
MSP
2017-09-28T02:15:34Z
Sep 28, 2017

In my experience the best option is to run DAST and SAST before each change of the web app; you can also access this type of service with HP Fortify On Demand. By the way, if you want to have a very good balance of protection and a good VA service, you can use the F5 Silverline WAF Managed: they have their own SOC to deliver VA, they adjust the WAF policies for you and deliver a report for any change, and they have dashboards to verify any security or performance concern.

it_user648771 - PeerSpot reviewer
User at Akamai
Real User
2017-09-26T18:42:28Z
Sep 26, 2017

While Cloudflare and AWS offer similar solutions, they do not have the scale, or customizable rule sets necessary for a large enterprise. The pricing is misleading, as it's cheap for the basics, but for a large enterprise's needs, the pricing at Akamai is extremely competitive and the value is unmatched.

Akamai Security Services-Gartner Magic Quadrant for Web Application Firewalls 2017 -- Akamai is now a LEADER

Please click on this link to learn more : http://pd.lnkd.in/uwo9sv3

Akamai has a comprehensive security portfolio, serving the largest global enterprises, and government agencies. Lastly, Akamai's Bot Manager with credential abuse mitigation is a leader in identifying and mitigating these types of malicious attacks better than anyone in the market!

it_user218361 - PeerSpot reviewer
IT Risk and Security Analyst at a university with 1,001-5,000 employees
Vendor
2017-09-26T02:19:32Z
Sep 26, 2017

I haven't heard about SiteLock or Immuniweb, but I have used Qualys Web Application Scanning (WAS) and IBM SiteProtector. They are great vulnerability tools. I just want to add to what Omar said: having IDS/IPS tools like FireEye or QRadar also benefits protecting assets. Let us know what your decision is.

Real User
2017-09-26T06:39:28Z
Sep 26, 2017

Hi, to completely secure your web application you need to:
1) Use tools that check against vulnerabilities at run time
2) Use code review tools that look for common vulnerabilities documented by OWASP and CWE.

Options 1 and 2 are mandatory and complementary at the same time.
Option 2 is interesting because it will give you an exhaustive report of vulnerability locations.
Option 1 is interesting because it allows you to check if there are any vulnerabilities left at run time.

For option 2 you can look at Kiuwan (www.kiuwan.com). I'm using it for auditing security issues in web applications, and it has great vulnerability coverage.

it_user498738 - PeerSpot reviewer
Security Architect at PeerSpot
Vendor
2017-09-26T03:12:31Z
Sep 26, 2017

A WAF can be an excellent solution; most of them are designed to absorb large attacks such as DDoS attacks and also protect against common application attacks (SQLi, XSS, etc.). Akamai is a good example of a CDN which includes a WAF; a cheaper option can be Cloudflare or AWS.

Based on my experience I know the Akamai WAF can generate a detailed report with the types of attacks being attempted, as well as bot information and geo tags.

it_user743652 - PeerSpot reviewer
Security Research Engineer at Lookout
Vendor
2017-09-25T23:39:59Z
Sep 25, 2017

There are various tools out there in the market such as web application firewalls (WAFs), DDoS prevention, and vulnerability scanning tools at various levels (host vs. web). You need to select a combination of the right toolset to do the job. However, web security is not just about the tools, you need to conduct proper assessment of your environment through penetration testing, code review, architecture review and so forth.

KL
Instructor & Principal Consultant
User
2017-10-12T02:05:20Z
Oct 12, 2017

Hi, there are various stages in protecting against web vulnerabilities.
Start using tools like a web application scanner (like Netsparker) to eliminate false positives.
Harden your web applications.
Deploy an on-prem WAF (with scrubbing) together with a cloud WAF (big leaders like Akamai, Cloudflare or Incapsula can mitigate DDoS).
Total protection comes with on-going monitoring depending on your policies.

it_user565065 - PeerSpot reviewer
User at Citrix Systems, Inc.
Real User
2017-09-26T05:54:25Z
Sep 26, 2017

Consider NetScaler Application Firewall and MAS.

it_user371583 - PeerSpot reviewer
User at Cloudbric
Vendor
2017-09-26T04:14:53Z
Sep 26, 2017

[Disclosure: I work for Beyond Security]. Some companies rebrand technologies by other vendors, therefore you need to take that into account. Solutions like DDoS protection focus on service availability, whereas a WAF, as its name implies, is a narrowly focused firewall with eyes on HTTP traffic. Web app scanning offered by vulnerability management companies, including mine, goes deeper both vertically and horizontally by examining the assets and apps behind a given site and identifying security holes in them (a few vendors also verify the level and accuracy of a vulnerability by deploying pentesting methods such as the use of exploits). The frequency of scans will determine the available window for remediation if a vulnerability is found; thus there is no such thing as continuous monitoring in real time. Only snake oil salespeople can offer that. In brief, your best bet is to combine WAF and WAS (for example, a combination of ready-made integrations such as Beyond Security and Imperva).

it_user371583 - PeerSpot reviewer
User at Cloudbric
Vendor
2017-09-26T03:21:36Z
Sep 26, 2017

Identity Management solutions can mitigate web application security breaches. Vulnerability monitoring is possible through Enterprise Manager (EM) suites. Most EM suites from different vendors have the capacity to bundle products to protect against vulnerabilities and secure the system.

it_user648771 - PeerSpot reviewer
User at Akamai
Real User
2017-09-25T23:31:55Z
Sep 25, 2017

Akamai’s Cloud based Security solutions.
